Commit graph

52 commits

Author SHA1 Message Date
adam
9071d6b787 Revbump after updating textproc/icu 2015-04-06 08:17:13 +00:00
he
2bd675cb66 Update to version 1.4.7.
Changes:
 * The patch for SUPPORT-147 got integrated upstream.
 * Regenerate enforcer/utils/Makefile.in diff

Upstream changes:
 * SUPPORT-147: Zone updating via zone transfer can get stuck
 * Crash on 'retransfer' command when not using DNS adapters.
2014-12-04 15:58:21 +00:00
he
80c82f118e There's one more useless ntohl(), get rid of that as well.
Bump PKGREVISION.
2014-11-04 09:41:02 +00:00
he
0e26430931 Fix a bug related to restoring various data from .xfrd-state files:
there's no need to byte-swap values read from a local file.
This would cause some IXFRs to mysteriously and consistently fail
until manual intervention is done, because the wrong (byte-swapped)
SOA serial# was being stuffed into the IXFR requests.

Ref. https://issues.opendnssec.org/browse/SUPPORT-147.

Also fix the rc.d script to not insist that the components must be
running to allow "stop" to proceed, so that "restart" or "stop" can
be done if one or both of the processes have exited or crashed.

Bump PKGREVISION.
2014-10-31 16:32:39 +00:00
he
74b2581678 Add an rc.d script for NetBSD. 2014-10-28 13:26:37 +00:00
adam
243c29c4cc Revbump after updating libwebp and icu 2014-10-07 16:47:10 +00:00
pettai
e092a16ae0 OpenDNSSEC 1.4.6 - 2014-07-21
* Signer Engine: Print secondary server address when logging notify reply
  errors.
* Build: Fixed various OpenBSD compatibility issues.
* OPENDNSSEC-621: conf.xml: New options: <PidFile> for both enforcer and
  signer, and <SocketFile> for the signer.
* New tool: ods-getconf: to retrieve a configuration value from conf.xml
  given an expression.

Bugfixes:
* OPENDNSSEC-469: ods-ksmutil: 'zone add' command when zonelist.xml.backup
  can't be written zone is still added to database, solved it by checking the
  zonelist.xml.backup is writable before adding zones, and add error message
  when add zone failed.
* OPENDNSSEC-617: Signer Engine: Fix DNS Input Adapter to not reject zone
  the first time due to RFC 1982 serial arithmetic.
* OPENDNSSEC-619: memory leak when signer failed, solved it by add
  ldns_rr_free(signature) in libhsm.c
* OPENDNSSEC-627: Signer Engine: Unable to update serial after restart
  when the backup files has been removed.
* OPENDNSSEC-628: Signer Engine: Ignored notifies log level is changed
  from debug to info.
* OPENDNSSEC-630: Signer Engine: Fix inbound zone transfer for root zone.
* libhsm: Fixed a few other memory leaks.
* simple-dnskey-mailer.sh: Fix syntax error.
2014-09-27 19:41:06 +00:00
pettai
9f73bc24c3 OpenDNSSEC 1.4.5
Bugfixes:
* OPENDNSSEC-607: libhsm not using all mandatory attributes for GOST key
  generation.
* OPENDNSSEC-609: ods-ksmutil: 'key list' command fails with error in 1.4.4
  on MySQL.
2014-06-09 10:18:12 +00:00
obache
d8fc20e0b0 recursive bump from icu shlib major bump. 2014-04-09 07:26:56 +00:00
pettai
9e047b710a OpenDNSSEC 1.4.4:
* SUPPORT-114: libhsm: Optimize storage in HSM by deleting the public
  key directly if SkipPublicKey is used [OPENDNSSEC-574].
* OPENDNSSEC-358: ods-ksmutil: Extend 'key list' command with options to filter
  on key type and state. This allows keys in the GENERATE and DEAD state to be
  output.
* OPENDNSSEC-457: ods-ksmutil: Add a check on the 'zone add' input/output
  type parameter to allow only File or DNS.
* OPENDNSSEC-549: Signer Engine: Put NSEC3 records on empty non-terminals
  derived from unsigned delegations (be compatible with servers that are
  incompatible with RFC 5155 errata 3441).
* Make/build: Include README.md in dist tar-ball.

Bugfixes:
* SUPPORT-86: Fixed build on OS X [OPENDNSSEC-512].
* SUPPORT-97: Signer Engine: Fix after restart signer thinks zone has expired
  [OPENDNSSEC-526].
* SUPPORT-101: Signer Engine: Fix multiple zone transfer to single file bug
  [OPENDNSSEC-529].
* SUPPORT-102: Signer Engine: Fix statistics (count can be negative).
* SUPPORT-108: Signer Engine: Don't replace tabs in RRs with whitespace
  [OPENDNSSEC-520].
* SUPPORT-116: ods-ksmutil: 'key import' date validation fails on certain
  dates [OPENDNSSEC-553].
* SUPPORT-128: ods-ksmutil. Man page had incorrect formatting [OPENDNSSEC-576].
* SUPPORT-127: ods-signer: Fix manpage sections.
* OPENDNSSEC-481: libhsm: Fix an off-by-one length check error.
* OPENDNSSEC-482: libhsm: Improved cleanup for C_FindObjects.
* OPENDNSSEC-531: ods-ksmutil: Exported value of <Parent><SOA><TTL> in
  'policy export' output could be wrong on MySQL.
* OPENDNSSEC-537: libhsm: Possible memory corruption in hsm_get_slot_id.
* OPENDNSSEC-544: Signer Engine: Fix assertion error that happens on an IXFR
  request with EDNS.
* OPENDNSSEC-546: enforcer & ods-ksmutil: Improve logging on key creation
  and allocation.
* OPENDNSSEC-560: Signer Engine: Don't crash when unsigned zone has no SOA.
* Signer Engine: Fix a race condition when stopping daemon.
2014-03-27 19:51:06 +00:00
tron
c64e9eb269 Recursive PKGREVISION bump for OpenSSL API version bump. 2014-02-12 23:18:26 +00:00
pettai
ed8e9b5eb3 OpenDNSSEC 1.4.3:
Updates:
* SUPPORT-72: Improve logging when failed to increment serial in case of
  key rollover and serial value "keep" [OPENDNSSEC-461].
* OPENDNSSEC-106: Add 'ods-enforcerd -p <policy>' option. This prompts
  the enforcer to run once and only process the specified policy
  and associated zones.
* OPENDNSSEC-330: NSEC3PARAM TTL can now be optionally configured in kasp.xml.
  Default value remains PT0S.
* OPENDNSSEC-390: ods-ksmutil: Add an option to the 'ods-ksmutil key ds-seen'
  command so the user can choose not to notify the enforcer.
* OPENDNSSEC-430: ods-ksmutil: Improve 'zone add' - Zone add command could
  warn if a specified zone file or adapter file does not exist.
* OPENDNSSEC-431: ods-ksmutil: Improve 'zone add' - Support default <input>
  and <output> values for DNS adapters.
* OPENDNSSEC-454: ods-ksmutil: Add option for 'ods-ksmutil key import'
  to check if there is a matching key in the repository before import.

Bugfixes:
* OPENDNSSEC-435: Signer Engine: Fix a serious memory leak in signature cleanup.
* OPENDNSSEC-463: Signer Engine: Duration PT0S is now printed correctly.
* OPENDNSSEC-466: Signer Engine: Created bad TSIG signature when falling back
  to AXFR.
* OPENDNSSEC-467: Signer Engine: After ods-signer clear, signer should not use
  inbound serial.
2013-12-05 12:56:14 +00:00
jperkin
2419c817f0 Pull in OpenSSL to fix non-builtin case. Use C99. Fixes SunOS build.
Patches from Sebastian Wiedenroth.
2013-12-04 17:03:02 +00:00
adam
63c018902c Revbump after updating textproc/icu 2013-10-19 09:06:55 +00:00
pettai
85dd7695f4 Updated MESSAGE file to reflect current 2013-09-17 12:34:45 +00:00
pettai
72c20b69a6 OpenDNSSEC 1.4.2 - 2013-09-11
* OPENDNSSEC-428: ods-ksmutil: Add option for 'ods-ksmutil key generate' to
  take number of zones as a parameter

Bugfixes:
* SUPPORT-66: Signer Engine: Fix file descriptor leak in case of TCP write
  error [OPENDNSSEC-427].
* SUPPORT-71: Signer Engine: Fix double free crash in case of HSM connection
  error during signing [OPENDNSSEC-444].
* OPENDNSSEC-401: 'ods-signer sign <zone> --serial <nr>' command produces seg
  fault when run directly on command line (i.e. not via interactive mode)
* OPENDNSSEC-440: 'ods-ksmutil key generate' and the enforcer can create
  too many keys if there are keys already available and the KSK and ZSK use
  same algorithm and length
* OPENDNSSEC-424: Signer Engine: Respond to SOA queries from file instead
  of memory. Makes response non-blocking.
* OPENDNSSEC-425 Change "hsmutil list" output so that the table header goes
  to stdout not stderr
* OPENDNSSEC-438: 'ods-ksmutil key generate' and the enforcer can create
  too many keys for <SharedKeys/> policies when KSK and ZSK use same
  algorithm and length
* OPENDNSSEC-443: ods-ksmutil: Clean up of hsm connection handling
* Signer Engine: Improved Inbound XFR checking.
* Signer Engine: Fix double free corruption in case of adding zone with
  DNS Outbound Adapters and NotifyCommand enabled.
2013-09-13 21:59:51 +00:00
he
a7c1be6a61 Update OpenDNSSEC from version 1.3.14nb1 to 1.4.1.
Pkgsrc changes:
 * Get rid of ruby dependencies, since the validator is no longer
   included in OpenDNSSEC
 * Adapt PLIST to changes in installed files
 * Add a patch so that the database migration scripts are installed
   as part of the package

Upstream notable changes:
 *  SUPPORT-58: Extend ods-signer sign <zone> with -serial <nr> so
    that the user can specify the SOA serial to use in the signed
    zone [OPENDNSSEC-401].
 *  OPENDNSSEC-91: Make the keytype flag required when rolling keys

Bugfixes:
 *  SUPPORT-60: Fix datecounter in case inbound serial is higher
    than outbound serial [OPENDNSSEC-420].
 *  OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on
    SOA Minimum change.
 *  OPENDNSSEC-421: Signer Engine: Fix assertion error in case
    NSEC3 hash algorithm in signconf is not SHA1.
 *  OPENDNSSEC-421: ods-kaspcheck: Check whether NSEC3 hash algorithm
    in kasp is valid.
 *  Bugfix: The time when inbound serial is acquired was reset
    invalidly, could cause OpenDNSSEC wanting AXFR responses while
    requesting IXFR (thanks Stuart Lau).
 *  Bugfix: Fix malform in Outbound IXFR/TCP subsequent packet
    (thanks Stuart Lau).
 *  OPENDNSSEC-398: The ods-ksmutil key rollover command does not
    work correctly when rolling all keys using the -policy option
2013-08-22 11:05:45 +00:00
jperkin
b091c2f172 Bump PKGREVISION of all packages which create users, to pick up change of
sysutils/user_* packages.
2013-07-12 10:44:52 +00:00
pettai
f6c3532bfa OpenDNSSEC 1.3.14 - 2013-05-16
* OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for
  a key is changed in a policy (as this rollover is not handled cleanly)
* OPENDNSSEC-91: Make the keytype flag required when rolling keys
* OPENDNSSEC-403: Signer Engine: new command 'ods-signer locks' that shows
  locking information (for debugging purposes).

Bugfixes:
* OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA
  Minimum change.
* OPENDNSSEC-396: Use TTLs from kasp when generating DNSKEY and DS records for
  output.
* OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly
  when rolling all keys using the --policy option
* SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers.
2013-06-15 16:42:48 +00:00
adam
1ab43a036f Massive revbump after updating graphics/ilmbase, graphics/openexr, textproc/icu. 2013-05-09 07:39:04 +00:00
pettai
78e9163195 OpenDNSSEC 1.3.13 - 2013-02-20
Bugfixes:
* OPENDNSSEC-388: Signer Engine: Internal serial should take into account
  the inbound serial.
* OPENDNSSEC-242: Signer Engine: Could get stuck on load signconf while
  signconf was not changed.
* Signer Engine: Fixed locking and notification on the drudge work queue,
  signals could be missed so that drudgers would stall when there was work to
  be done.
2013-02-21 15:51:17 +00:00
taca
4235ca219d Depends on rubygems when ruby's version is 1.8.7.
Bump PKGREVISION.
2013-02-11 05:01:13 +00:00
adam
f4c3b89da7 Revbump after graphics/jpeg and textproc/icu 2013-01-26 21:36:13 +00:00
pettai
266379a004 OpenDNSSEC 1.3.12 - 2012-12-03
Bugfixes:
* SUPPORT-42: ./configure fails on FreeBSD (or if ldns is not installed in a
  directory in the default search path of the compiler).
* OpenDNSSEC does not compile against ldns 1.6.16 on platforms that rely on
  the OpenDNSSEC implementation of strlcpy/cat
2012-12-05 20:03:59 +00:00
pettai
8e2418cca1 OpenDNSSEC 1.3.11
* OPENDNSSEC-330: NSEC3PARAM TTL should be set to zero.

Bugfixes:
* OPENDNSSEC-306: Can't delete zone until Enforcer made signerconf.
* OPENDNSSEC-281: Commandhandler sometimes unresponsive.
* OPENDNSSEC-299: ods-ksmutil <enter> now includes policy import
* OPENDNSSEC-300: ods-ksmutil policy purge documented with a warning
* OPENDNSSEC-338: ods-ksmutil: fix zone delete on MySQL (broken by SUPPORT-27)
* OPENDNSSEC-342: Auditor comparisons made case-insensitive
* OPENDNSSEC-345: ods-ksmutil: use ods-control to HUP the enforcerd process
2012-11-13 16:32:25 +00:00
asau
1a433eae91 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-23 18:16:19 +00:00
pettai
7c057155a7 OpenDNSSEC 1.3.10
Bugfixes:
* SUPPORT-30: RRSIGs are left in the signed zone when authoritative RRsets
  become glue [OPENDNSSEC-282].
* OPENDNSSEC-261: Ldns fails to parse RR that seems syntactically correct.
  Was due to memory allocation issues. Provided better log message.
* OPENDNSSEC-285: Signer segfault for 6 or more -v options
* OPENDNSSEC-298: Only unlink existing pidfile on exit if we wrote it.
* OPENDNSSEC-303: Return if open/parse of zonelist.xml fails in ksmutil.c
  update_zones() and cmd_listzone().
* OPENDNSSEC-304: Signer Engine: Check pidfile on startup, if pidfile exists
  and corresponding process is running, then complain and exit.
* Signer seems to hang on a ods-signer command. Shutdown client explicitly
  with shutdown().
* opendnssec.spec file removed
2012-08-13 13:50:06 +00:00
pettai
2eef658743 OpenDNSSEC 1.3.9
* OPENDNSSEC-277: Enforcer: Performance optimisation of database access.

Bugfixes:
* SUPPORT-27: ods-ksmutil: simplify zone delete so that it only marks keys as
  dead (rather than actually removing them). Leave the key removal to purge
  jobs.

(Ok'ed by wiz@)
2012-06-21 12:46:12 +00:00
sbd
21792a9296 Recursive PKGREVISION bump for libxml2 buildlink addition. 2012-06-14 07:43:06 +00:00
pettai
448d8b50ff OpenDNSSEC 1.3.8
* OPENDNSSEC-228: Signer Engine: Make 'ods-signer update' reload signconfs
  even if zonelist has not changed.
* OPENDNSSEC-231: Signer Engine: Allow for Classless IN-ADDR.ARPA names
  (RFC 2317).
* OPENDNSSEC-234: Enforcer: Add indexes for foreign keys in kasp DB. (sqlite
  only, MySQL already has them.)
* OPENDNSSEC-246: Signer Engine: Warn if <Audit/> is in signer configuration,
  but ods-auditor is not installed
* OPENDNSSEC-249: Enforcer: ods-ksmutil: If key export finds nothing to do
  then say so rather than display nothing which might be misinterpreted.

Bugfixes:
* OPENDNSSEC-247: Signer Engine: TTL on NSEC(3) was not updated on SOA
  Minimum change.
* OPENDNSSEC-253: Enforcer: Fix "ods-ksmutil zone delete --all"
2012-05-23 10:09:21 +00:00
obache
a6d5ad9edc Recursive bump from icu shlib major bumped to 49. 2012-04-27 12:31:32 +00:00
taca
de0ab2936c Bump PKGREVISION reflecting the default Ruby's version change. 2012-03-22 14:25:25 +00:00
pettai
85da4cec0f OpenDNSSEC 1.3.7
* OPENDNSSEC-215: Signer Engine: Always recover serial from backup,
  even if it is corrupted, preventing unnecessary serial decrementals.
* OPENDNSSEC-217: Enforcer: Tries to detect pidfile staleness, so that
  the daemon will start after a power failure.

Bugfixes:
* ods-hsmutil: Fixed a small memory leak when printing a DNSKEY.
* OPENDNSSEC-216: Signer Engine: Fix duplicate NSEC3PARAM bug.
* OPENDNSSEC-218: Signer Engine: Prevent endless loop in case the locators
  in the signer backup files and the HSM are out of sync.
* OPENDNSSEC-225: Fix problem with pid found when not existing.
* SUPPORT-21: HSM SCA 6000 in combination with OpenCryptoki can return RSA key
  material with leading zeroes. DNSSEC does not allow leading zeroes in key
  data. You are affected by this bug if your DNSKEY RDATA e.g. begins with
  "BAABA". Normal keys begin with e.g. "AwEAA". OpenDNSSEC will now sanitize
  incoming data before adding it to the DNSKEY. Do not upgrade to this version
  if you are affected by the bug. You first need to go unsigned, then do the
  upgrade, and finally sign your zone again. SoftHSM and other HSM:s will not
  produce data with leading zeroes and the bug will thus not affect you.


OpenDNSSEC 1.3.6

* OPENDNSSEC-33: Signer Engine: Check HSM connection before use, attempt to
  reconnect if it is not valid.
* OPENDNSSEC-178: Signer Engine: Instead of waiting an arbitrary amount of
  time, let worker wait with pushing sign operations until the queue is
  non-full.
* Signer Engine: Adjust some log messages.

Bugfixes:
* ods-control: Wrong exit status if Enforcer was already running.
* OPENDNSSEC-56: ods-ksmutil had the wrong option for config file in the
  help usage text.
* OPENDNSSEC-207: Signer Engine: Fix communication from a process not
  attached to a shell.
* OPENDNSSEC-209: Signer Engine: Make output file adapter atomic by writing
  signed file to an intermediate file first.
2012-03-18 17:38:46 +00:00
pettai
3eeb991970 OpenDNSSEC 1.3.5
* Auditor: Include the zone name in the log messages.
* ldns 1.6.12 is required for bugfixes.
* ods-ksmutil: Suppress database connection information when no -v flag is
  given.
* ods-enforcerd: Stop multiple instances of the enforcer running by checking
  for the pidfile at startup. If you want to run multiple instances then a
  different pidfile will need to be specified with the -P flag.
* ods-ksmutil: "zone delete" renames the signconf file; so that if the zone is
  put back the signer will not pick up the old file.
* Signer Engine: Verbosity can now be set via conf.xml, default is 3.

Bugfixes:
* Bugfix OPENDNSSEC-174: Configure the location for conf.xml with --config
  or -c when starting the signer.
* Bugfix OPENDNSSEC-192: Signer crashed on deleting NSEC3 for a domain that
  becomes opt-out.
* Bugfix OPENDNSSEC-193: Auditor crashed with certain empty non-terminals.
* Signer Engine: A file descriptor for sockets with value zero is allowed.
* Signer Engine: Only log messages about a full signing queue in debug mode.
* Signer Engine: Fix time issues, make sure that the internal serial does
  not wander off after a failed audit.
* Signer Engine: Upgrade ldns to avoid future problems on 32-bit platforms
  with extra long signature expiration dates. More information in separate
  announcement.
2012-01-23 11:19:26 +00:00
pettai
74d8aca6cf OpenDNSSEC 1.3.4
Bugfixes:
* Signer: Use debug instead of warning for drudgers queue being full,
  also sleep 10 ms if it is full to not hog CPU. This increased signing speed
  on single core machines by a factor of 2.
2011-12-12 09:07:22 +00:00
taca
690f629805 Enable build with ruby19/193 with dependency to net/ruby-soap4r. 2011-11-24 13:05:44 +00:00
pettai
d2da8209e3 OpenDNSSEC 1.3.3
Bugfixes:
* Auditor: Handle ruby 1.9 differences in ods-kaspcheck.
* Auditor: Require dnsruby 1.53 for bugfixes.
* Bugfix #262: Drudgers seem to be in a waiting state, but the RRset
  FIFO queue is full. Do an additional broadcast.
* Enforcer: Check HSM connection when waking up from sleep, attempt to
  reconnect if it is not valid. (r5511 in trunk, ported into the branch
  due to issues seen when CKR_DEVICE_ERROR returned by HSM.)
* libhsm: Added hsm_check_context() to check if the associated
  sessions are still alive. (Required for the above.)
* ods-ksmutil: key import was not setting the retire time.
* Signer Engine: Fix a threading issue, that could leave a zone without a task.
* Signer Engine: Update the signed zone file if only the $TTL or
  explicit TTL has been changed.
* Signer Engine: Remove the NSEC3PARAM RR when doing NSEC3 to NSEC rollover.
* Signer Engine: Deal with carriage returns (dos format) in zone file.
* Signer Engine: is PT0S means that refresh equals signtime.
* Signer Engine: Defense in depth in signer for duplicate keys.
* Signer Engine: Make sure that all required zonelist elements exist,
  otherwise error.
* Signer Engine: Warn the user if the serial is b0rk, and you can not
  use the serial from the signconf.
* Signer Engine: Log Auditor exit code.
* Fix a similar bug like #257: Error in ods-signerd, where a corrupted
  backup file results in an invalid pointer free().
2011-11-18 21:42:45 +00:00
pettai
9a675f7858 OpenDNSSEC 1.3.2
Bugfixes:
* Bugfix #257: Error in ods-signerd, where a corrupted backup file results
  in an invalid pointer free().
* Signer Engine: Mark that a zone has a valid signer configuration, after
  recovering the zone from the backup files.


OpenDNSSEC 1.3.1

Bugfixes:
* Auditor: Fix 'ZSK in use too long' message to handle new signer behaviour.
* Bugfix #255: RHEL6 patch to contrib/opendnssec.spec. (Rick van Rein)
* Bugfix #256: Make sure argument in "ods-control signer" is not stripped off.
* Bugfix #259: ods-ksmutil: Prevent MySQL username or password being interpreted
  by the shell when running "ods-ksmutil setup".
* Bugfix #260: "ods-ksmutil zone list" now handles empty zonelists.
* Enforcer: Unsigned comparison resulting in wrong error message.
* ods-ksmutil: fixed issue where first ds-seen command run on a zone would work,
  but return an error code and not send a HUP to the enforcerd.
* Signer Engine: A threading issue occasionally puts the default validity
  on NSEC(3) RRs and the denial validity on other RRs.
* Signer Engine: An update command could interrupt the signing process and the
  zone would get missing signatures.
* Signer Engine: Fix an issue where some systems could not copy the zone file.
* Zonefetcher: Check inbound serial in transferred file, to prevent
  redundant zone transfers.
2011-09-17 22:35:25 +00:00
obache
6b21e3b35c Bump PKGREVISION from RUBY_VERSION_DEFAULT changes. 2011-09-16 02:26:44 +00:00
pettai
4d7e026284 OpenDNSSEC 1.3.0
* Include simple-dnskey-mailer-plugin in dist.
* Enforcer: Change message about KSK retirement to make it less confusing.

Bugfixes:
* ods-control: If the Enforcer did not close down, you entered an infinite loop.
* Signer Engine: Fix log message typos.
* Signer Engine: Fix crash where ods-signer update
* Signer Engine: Also replace DNSKEYs if <DNSKEY><TTL> has changed in policy.
* Zonefetcher: Sometimes invalid 'Address already in use' occurred.
* Bugfix #247: Fixes bug introduced by bugfix #242.


OpenDNSSEC 1.3.0rc3

* Do not distribute trang.

Bugfixes:
* Fix test for java executable and others.
* Auditor: Fix delegation checks.
* Bugfix #242: Race condition when receiving multiple NOTIFIES for a zone.
* ods-kaspcheck: Do not expect resalt in NSEC policy.
* Signer Engine: Ifdef a header file.
* Signer Engine: The default working directory was not specified.
* Signer Engine: Handle stdout console output throttling that would
  truncate daemon output intermittently.


OpenDNSSEC 1.3.0.rc2

* Match the names of the signer pidfile and enforcer pidfile.
* Include check for resign < resalt in ods-kaspcheck.

Bugfixes:
* Bugfix #231: Fix MySQL version check.
* ods-ksmutil: Update now sends a HUP to the enforcerd.
* Signer Engine: Fix assertion failure if zone was just added.
* Signer Engine: Don't hsm_close() on setup error.
* Signer Engine: Fix race condition bug when doing a single run.
* Signer Engine: In case of failure, also mark zone processed (single run).
* Signer Engine: Don't leak backup file descriptor.
* signconf.rnc now allows NSEC3 Iterations of 0


OpenDNSSEC 1.3.0rc1

* <SkipPublicKey/> is enabled for SoftHSM in the default configuration.
  It improves the performance by only using the private key objects.
* Document the <RolloverNotification> tag in conf.xml.

Bugfixes:
* Bugfix #221: Segmentation Fault on schedule.c:232
* Enforcer: 'make check' now works.
* Enforcer: Fixed some memory leaks in the tests.
* Signer Engine: Coverity report fixes some leaks and thread issues.
* Signer Engine: Now logs to the correct facility again.


OpenDNSSEC 1.3.0b1

* Support for signing the root. Use the zone name "."
* Enforcer: Stop import of policy if it is not consistent.
* ods-signer: The queue command will now also show what tasks the workers
  are working on.
* Signer Engine: Just warn if occluded zone data was found, don't stop signing
  process.
* Signer Engine: Simpler serial maintenance, reduces the number of conflicts.
  Less chance to hit a 'cannot update: serial too small' error message.
* Signer Engine: Simpler NSEC(3) maintenance.
* Signer Engine: Temperate the number of backup files.
* Signer Engine: Set number of <SignerThreads> in conf.xml to
  get peak performance from HSMs that can handle multiple threads.

Bugfixes:
* Bugreport #139: ods-auditor fails on root zone.
* Bugreport #198: Zone updates ignored?
* Replace tab with white-space when writing to syslog.
* Signer Engine: Do not block update command while signing.
2011-07-27 03:13:25 +00:00
obache
9572f6d892 recursive bump from textproc/icu shlib major bump. 2011-06-10 09:39:41 +00:00
pettai
f93bc52bf9 OpenDNSSEC 1.2.1:
* ldns 1.6.9 is required for bugfixes.
* dnsruby-1.52 required for bugfixes.

Bugfixes:
* Auditor: 'make check' now works when srcdir != builddir.
* Auditor: Include the 'make check' files in the tarball.
* Enforcer: Fix the migration script for SQLite.
* Enforcer: Increase size of keypairs(id) field in MySQL to allow more than
  32767 keys; see MIGRATION for details.
* Enforcer: Minor change to NOT_READY_KEY error message.
* libhsm: Increase the maximum number of attached HSM:s from 10 to 100.
* ods-ksmutil: Send trivial MySQL messages to stdout when exporting zonelist
  etc. Otherwise the resulting XML needs to be edited by hand.
* ods-control: Fix for Bourne shell.
* Signer Engine: Prevent race condition when setting up the workers and
  the command handler.
* Signer Engine: Check if the signature exists before recycling it.
* Signer Engine: Quit when there are errors in the configuration.
* Signer Engine: Enable core dump on failure.
* Signer Engine: Explicitly close down log msg with null.
* Signer Engine: Backup state after writing output.
* Signer Engine: Allow update of serial if internal structure is not
  initialized.
2011-03-21 15:52:25 +00:00
pettai
54efb2faa6 OpenDNSSEC 1.2.0:
Bugfixes:
* Enforcer: Fixed a number of build warnings.

OpenDNSSEC 1.2.0rc3:

* Moved migration instructions to the file MIGRATION

Bugfixes:
* Bugreport #199: The previous DB schema change made the zone removal broken.
* Enforcer: When retiring old KSK, use TTL(ds) and not TTL(ksk).
* Enforcer: Minimize the set of DS RRs sent to DelegationSignerSubmitCommand.
* Enforcer: Replace tab with a space character in the DNSKEY printed to syslog.
* Enforcer: Fixed potential format string bug.
* ods-ksmutil: Log to syslog when ds-seen changes a key to active/standby.
* Signer Engine: Don't be smart with RRSIG TTLs, the hsm will set them for you.
* Signer Engine: Set notify command for zone when receiving ods-signer update.
* Signer Engine: Update TTL of NSEC(3) records if SOA Minimum has changed
  in KASP.
* Signer Engine: Now logs to the correct facility.
* Signer Engine: Also remove NSEC records when detecting changes in
  signconf <Denial>
* Signer Engine: Dropped privileges before starting Zonefetcher.

OpenDNSSEC 1.2.0rc2:

Bugfixes:
* Signer Engine: Use the correct TTL for RRs after the $INCLUDE directive.
* Signer Engine: Also create new signature if TTL of RR has changed.
* Signer Engine: Drop old NSEC/NSEC3 records.
* ods-ksmutil: Fixed some memory leaks.

OpenDNSSEC 1.2.0rc1:

* New commandline option for the signer: ods-signer running.
* Allow connection to different MySQL ports in the Enforcer.
* Tone down and explain warning when converting M or Y to seconds
* ldns 1.6.7 is required for bugfixes
* dnsruby 1.51 is required for bugfixes

Bugfixes:
* Bugreport #187: ods-control signer start will return non-zero if start up
  failed (uses ods-signer running).
* Narrow glue at the zone cut is allowed, do not consider it as occluded.
* Move zone fetcher output to correct input adapter file.
* Enforcer shared keys on zones with ShareKeys disabled.
* Make names of key states consistent.
* Signer Engine file descriptor leak fix on engine.sock.
* Set explicit "unlimited" repository capacity to prevent random integer being
  read. Requires "ods-ksmutil update conf" to be run if using an existing
  database.
* Fix issue with key generation creating too many keys Ticket #194.
* Bugreport #189: Auditor did not handle white-space-separated substrings
  for base64 text
* Bugreport #190: Auditor (and signer) does not handle case correctly
* Signer now silence stdout-output from the notify command

OpenDNSSEC 1.2.0b1:

* A new signer engine, written in c. Zones are maintained in memory, instead of
  in files on disk.
* Removed the python and python-4suite-xml dependencies.
* Remove separate autoconf for libhsm/conf/enforcer.
* Add option to disable building the signer.
* Signer logs statistics just after outputting a new signed zone.
* libhsm will skip processing (and not create) any public keys if the
  per repository option <SkipPublicKey/> is set.
* Keysharing improved - keys can now exist in different states on each zone
  that the key is in use for.
* Backup prepare/commit/rollback added for 2-step backups without taking the
  enforcer offline.
* Standby keys are now optional (default to 0) and should be considered
  experimental.

Bugfixes:
* Fix semantics of refresh value in Signer Engine.
* Auditor handles chains of empty nonterminals correctly.
* Recalculate salt immediately if the saltlength is changed.
* libhsm connected to slot 0 if the token label was not found.
  An error is now returned instead of connecting to the slot.
* Bugreport #102: Removed the obsoleted python-4suite-xml dependency.
* Fixed Known Issue: KSK rollover requires manual timing.
* Fixed Known Issue: Key rollover and reuse of signatures.
* Fixed Known Issue: Issue with sharing keys and adding zones.
* Fixed Known Issue: Quicksorter does not allow certain owner names
  (Quicksorter is removed, signer now reads and sorts the zone).
2011-01-24 20:30:28 +00:00
pettai
824c0448c4 OpenDNSSEC 1.1.3:
Bugfixes:
* Bugreport #183: Partial zone could get signed if zone transfer failed when using zone_fetcher
2010-09-13 07:53:06 +00:00
taca
2e576f5f32 * Adjust new ruby package's framework. 2010-09-10 07:40:32 +00:00
pettai
4ef9b45f02 OpenDNSSEC 1.1.2:
Dnsruby 1.49 now required (for correct zone parsing)
ldns 1.6.6 is required to fix the zone fetcher bug

Bugfixes:
* ods-control stop did not stop zone fetcher (bug was introduced in 1.1.0)
* Auditor correctly handles chains of empty nonterminals
* Zone fetcher can block zone transfers if AXFR once failed.
  This is a bug in ldns versions 1.6.5 and lower.
  See KNOWN_ISSUES for more information.
* Bugreport #165: Ensure Output SOA serial is always bigger than Input SOA serial.
* Bugreport #166: Correct exit value from signer.
* Bugreport #167: Zone fetcher now also picks up changes when zonelist is reloaded
* Bugreport #168: ods-control with tightened control for the Enforcer
* Bugreport #169: Do not include config.h in the distribution
* Bugreport #170: Typo in a man page (ods-signer)
* Bugreport #172: Correction of some macros in a man page (ods-timing)
* Bugreport #173: A man page used a macro that does not exist (ods-ksmutil)
2010-08-30 13:51:57 +00:00
pettai
9edc252854 OpenDNSSEC 1.1.1:
Bugfixes:
* Bugreport #127: Large SOA serial numbers were not handled properly by signer
* Bugreport #133: Better handling of SOA serial when setting is 'keep'
* Bugreport #136: quicksorter could not handle standard bind format SOA rdata
* The Auditor could not handle the new way of rolling KSKs
* One log message in the Enforcer referred to an old command
* The Enforcer forgot to publish certain keys during transition between states
2010-07-16 22:22:38 +00:00
joerg
e51cf4c45c Fix dependency pattern 2010-06-19 14:21:57 +00:00
pettai
c4eb363ac8 OpenDNSSEC 1.1.0:
* Partial Auditor added
* Dnsruby-1.46 required
* Improved error messages when the system runs out of keys
* Optimise communication of signconfs for multiple zones sharing keys.
  Group zones in zonelist.xml by policy to get this benefit.
* Bugreport #101: Signer Engine now maintains its own pidfile.
* Jitter redefined: now in the range of [-jitter, ..., +jitter]
* Optimized sorter: quicksorter (sorter becomes obsolete).
* Optimized zone_reader, includes nseccing/nsec3ing (nseccer and nsec3er
  become obsolete).
* Enable database selection using --with-database-backend={sqlite3|mysql}
* Enable the EPP-client using --enable-eppclient
  For sending DS RR to the parent zone (experimental)
* Turn NSEC3 OptOut off by default
* Install kasp2html XML stylesheet
* Add simple kasp2html conversion script
* DNSKEY records communicated to an external script if configured
* The command 'ods-signer restart' is removed.
* Signer Engine now also reuses signatures after a change in NSEC(3)
  configuration or rolling keys.
* Quicksorter defaults to class IN.

And a lot of bugfixes...
2010-06-16 00:19:08 +00:00
pettai
2d6777e7df New better documentation is available, so point to those instead 2010-05-09 19:04:47 +00:00